Mageia 2022-0168: python-twisted security update
Summary
CVE-2022-21712: It was discovered that Twisted incorrectly filtered HTTP
headers when clients are being redirected to another origin. A remote
attacker could use this issue to obtain sensitive information.
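The following is an added example, not code from Twisted or from this advisory. It shows the check a redirect-following HTTP client needs in order to avoid the class of problem described for CVE-2022-21712: credential-bearing headers must not be re-sent when the redirect target is a different origin (scheme, host, port). The header names, URLs and the SENSITIVE_HEADERS set are constructed for illustration.

```python
"""Decide which request headers may follow a redirect.

Added example, not Twisted's own code.  A redirect to another origin must
not carry the original request's credentials, otherwise a redirect to an
attacker-controlled host would hand them over.  All names and sample
values here are constructed.
"""
from urllib.parse import urlsplit

# Constructed list of credential-bearing headers to drop on a cross-origin hop.
SENSITIVE_HEADERS = {"cookie", "authorization", "proxy-authorization"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) origin tuple of a URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    if port is None:
        raise ValueError("cannot determine origin port for %r" % url)
    return scheme, host, port


def same_origin(url_a, url_b):
    """True when both URLs share scheme, host and effective port."""
    return origin(url_a) == origin(url_b)


def headers_for_redirect(original_url, redirect_url, headers):
    """Return the headers to send when following redirect_url.

    A same-origin redirect keeps every header.  A cross-origin redirect
    (different scheme, host or port) drops the credential-bearing ones.
    Header-name comparison is case-insensitive, as HTTP requires.
    """
    if same_origin(original_url, redirect_url):
        return dict(headers)
    return {name: value for name, value in headers.items()
            if name.lower() not in SENSITIVE_HEADERS}


if __name__ == "__main__":
    sample = {"Cookie": "session=abc", "Authorization": "Bearer t", "Accept": "*/*"}
    print(headers_for_redirect("https://example.com/a", "https://example.com/b", sample))
    print(headers_for_redirect("https://example.com/a", "http://example.com/a", sample))
```

Note that a scheme change (https to http) on the same host is treated as cross-origin as well, so a downgrade redirect also loses the credentials rather than sending them in clear text.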
CVE-2022-21716: It was discovered that Twisted incorrectly processed SSH
handshake data on connection establishments. A remote attacker could use
this issue to cause Twisted to crash, resulting in a denial of service.
GHSA-rv6r-3f5q-9rgx
The Twisted SSH client and server implementation naively accepted an
infinite amount of data for the peer's SSH version identifier.
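The following is an added example, not Twisted's code, illustrating the defect noted under GHSA-rv6r-3f5q-9rgx: a receiver that waits for the line terminator of the peer's version identifier must cap how much it buffers while waiting. The 255-byte ceiling is the identification-string limit from RFC 4253 section 4.2; the class, method names and sample byte strings are constructed for this example.

```python
"""Bounded collection of the peer's SSH version identifier.

Added example, not Twisted's own implementation.  A peer that never sends
CR LF would otherwise make the receiver accumulate input without limit.
The cap below is the RFC 4253 4.2 limit on the identification string
(255 bytes including CR LF); everything else here is constructed.
"""

MAX_IDENT_LEN = 255  # RFC 4253 4.2, including the CR LF terminator


class VersionExchangeError(Exception):
    """Raised when the peer's identification line is oversized."""


class VersionIdentifierReader:
    """Incrementally collects the "SSH-..." line from a byte stream."""

    def __init__(self, limit=MAX_IDENT_LEN):
        self.limit = limit
        self._buf = bytearray()
        self.identifier = None  # set once a complete version line is seen

    def feed(self, data):
        """Consume bytes; return the identifier once complete, else None.

        Raises VersionExchangeError as soon as either a single line or the
        pending unterminated data exceeds the limit, so an endless stream
        without a newline cannot grow the buffer.
        """
        if self.identifier is not None:
            return self.identifier
        self._buf.extend(data)
        # RFC 4253 4.2 lets a server send other lines before the version line;
        # those are skipped, but every line is still held to the size cap.
        while b"\n" in self._buf:
            line, _, rest = bytes(self._buf).partition(b"\n")
            self._buf = bytearray(rest)
            if len(line) + 1 > self.limit:
                raise VersionExchangeError("identification line exceeds RFC 4253 limit")
            line = line.rstrip(b"\r")
            if line.startswith(b"SSH-"):
                self.identifier = line
                return self.identifier
        # No terminator yet: refuse to keep buffering past the cap.
        if len(self._buf) >= self.limit:
            raise VersionExchangeError("no line terminator within the size limit")
        return None


if __name__ == "__main__":
    reader = VersionIdentifierReader()
    print(reader.feed(b"SSH-2.0-Constructed_1.0\r\n"))
    try:
        VersionIdentifierReader().feed(b"A" * 300)
    except VersionExchangeError as exc:
        print("rejected:", exc)
```

The reader is driven by whatever transport delivers the bytes; the design point is that the size check happens on every feed, before the data is kept, rather than only once a full line has arrived.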
GHSA-c2jg-hw38-jrqq and CVE-2022-24801
The Twisted Web HTTP 1.1 server, located in the twisted.web.http module,
parsed several HTTP request constructs more leniently than permitted by
RFC 7230.
GHSA-92x2-jw7w-xvvx: twisted.web.client.getPage,
twisted.web.client.downloadPage, and the associated implementation classes
(HTTPPageGetter, HTTPPageDownloader, HTTPClientFactory, HTTPDownloader)
have been removed because they do...
References
- https://bugs.mageia.org/show_bug.cgi?id=30067
- https://lists.suse.com/pipermail/sle-security-updates/2022-February/010263.html
- https://www.debian.org/lts/security/2022/dla-2927
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/233XDDM6URC3DPBBAKQV2AZQY6TBXJRV/
- https://www.debian.org/lts/security/2022/dla-2938
- https://ubuntu.com/security/notices/USN-5354-1
- https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HJFVJUKPT7GYOWBWGQSIVM3OEHKOEVVJ/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21712
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21716
Resolution
MGASA-2022-0168 - Updated python-twisted packages fix security vulnerability
SRPMS
- 8/core/python-twisted-22.4.0-1.mga8